Forbes just ran an article about a storm of hackers coming at us via WordPress. Estimates say 1 in 6 sites on the Internet are powered by WordPress, which makes it a valuable target for hackers. The so-called “botnet” storm involves hacking into WordPress sites and then using those infected sites to attack other sites.
Forbes outlines some tips on how to secure your WordPress site, and we’ve narrowed them down to the 4 we think are most important. Matt Mullenweg (WP founder) says that if you do just the first 3 you’ll be ahead of 99% of sites out there and will probably never have a problem.
1. Avoid Obvious Passwords
Simply following the password requirements WordPress recommends will make brute-force attacks much more difficult. As Mike Isaac points out in All Things D, “Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default login information.” A secure password is at least eight characters long and mixes upper- and lowercase letters, numbers, and the kinds of ‘special’ characters used to depict curse words (^%$#@*)!
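Here is a small checker for the rules just described (at least eight characters, mixed case, a digit, a special character, and nothing “obvious”). This is an added example written for this post, not code from WordPress or from the Forbes article; the short list of obvious passwords and the extra rule that a password must not contain the username are assumptions of the example.

```python
import string
from typing import List

# Constructed denylist of "obvious" passwords (assumption of this example;
# a real deployment would use a much larger list of leaked/common passwords).
OBVIOUS_PASSWORDS = {"password", "admin", "123456", "qwerty", "letmein", "wordpress"}

MIN_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)  # includes the ^%$#@* family


def check_password(password: str, username: str = "") -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    if lowered in OBVIOUS_PASSWORDS:
        problems.append("on the obvious-password list")
    # Extra rule (assumption): a password built around the login name is weak.
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def is_strong(password: str, username: str = "") -> bool:
    """True when no rule is violated."""
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ["admin", "Admin2013!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, username="admin") or "OK")
```

Run it as a pre-flight check when you create the new administrator account described in the next step; a password that returns an empty list satisfies every rule in the paragraph above.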
2. Ditch The Admin Username
The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” account on WordPress installations. So if you are still using “admin,” create a new user with administrator privileges (you will need to use a different email address from the one attached to the current admin account) and give it a strong password as defined above. Then log back in as the new user, delete the old admin account, and assign all of that account’s posts to the new user. Five minutes, tops.
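An attack from that many addresses shows up in your web server log as bursts of POST requests to wp-login.php. The following detector, an added example that is not part of the original post and not a WordPress feature, reads Apache combined-format log lines and flags any client IP that makes a configurable number of apparent failed logins inside a sliding time window. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect; the threshold, window and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (documentation IP ranges, not real clients):
# 203.0.113.10 hammers the login form, 198.51.100.7 mistypes once then logs in,
# 192.0.2.44 fails three times but minutes apart.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:05:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:07:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2013:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3217 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def failed_logins_by_ip(lines: List[str]) -> Dict[str, List[datetime]]:
    """Timestamps of apparent failed wp-login.php attempts, grouped by client IP.

    Assumption: a failed login is a POST answered with 200 (form shown again);
    a successful login answers 302, so it is not counted.
    """
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200:
            hits[rec["ip"]].append(rec["ts"])
    return hits


def flag_brute_force(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Return {ip: peak attempts within any window} for IPs reaching the threshold."""
    flagged: Dict[str, int] = {}
    window = timedelta(seconds=window_seconds)
    for ip, stamps in failed_logins_by_ip(lines).items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within window of ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in flag_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins inside 60s")
```

On the sample data only 203.0.113.10 is flagged with the defaults; widening the window to ten minutes and lowering the threshold to three also catches the slow attempt from 192.0.2.44, which is the trade-off to keep in mind when tuning these numbers against real traffic.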
3. Use Two Factor Authentication on WP.com
If you have a WP.com account, take advantage of its two-step authentication, which assures that it is a human logging in, not a bot.
4. Update WordPress
Many hackers exploit holes that have been identified in older versions of WordPress, so keeping your install up to date is another easy way to avoid trouble, though it is not as immediately relevant to this attack as the first two action items above.
Seriously, people, go do this now. A WordPress hack on your site can mean anything from your server failing because of abuse, to your precious content being injected with spam, to getting blocked from Google search results because of that spam. It’s ugly, and these simple steps will go a long way.